Total
6931 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-1010246 | 1 Mailcleaner | 1 Mailcleaner | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
MailCleaner before c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9 is affected by: Unauthenticated MySQL database password information disclosure. The impact is: MySQL database content disclosure (e.g. username, password). The component is: The API call in the function allowAction() in NewslettersController.php. The attack vector is: HTTP Get request. The fixed version is: c888fbb6aaa7c5f8400f637bcf1cbb844de46cd9.
|
|||||
| CVE-2019-1010152 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
zzcms 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: getshell. The component is: user/manage.php line 31-80.
|
|||||
| CVE-2019-1010150 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
zzcms 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: getshell. The component is: /user/zssave.php.
|
|||||
| CVE-2019-1010149 | 1 Zzcms | 1 Zzcms | 2024-11-21 | 7.5 HIGH | 9.8 CRITICAL |
|
zzcms version 8.3 and earlier is affected by: File Delete to Code Execution. The impact is: zzcms File Delete to Code Execution. The component is: user/licence_save.php.
|
|||||
| CVE-2019-1010066 | 1 Llnl | 1 Model Specific Registers-safe | 2024-11-21 | 5.0 MEDIUM | 7.5 HIGH |
|
Lawrence Livermore National Laboratory msr-safe v1.1.0 is affected by: Incorrect Access Control. The impact is: An attacker could modify model specific registers. The component is: ioctl handling. The attack vector is: An attacker could exploit a bug in ioctl interface whitelist checking, in order to write to model specific registers, normally a function reserved for the root user. The fixed version is: v1.2.0.
|
|||||
| CVE-2019-1003099 | 1 Jenkins | 1 Openid | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A missing permission check in Jenkins openid Plugin in the OpenIdSsoSecurityRealm.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
|
|||||
| CVE-2019-1003093 | 1 Jenkins | 1 Nomad | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A missing permission check in Jenkins Nomad Plugin in the NomadCloud.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
|
|||||
| CVE-2019-1003091 | 1 Jenkins | 1 Soasta Cloudtest | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A missing permission check in Jenkins SOASTA CloudTest Plugin in the CloudTestServer.DescriptorImpl#doValidate form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
|
|||||
| CVE-2019-1003087 | 1 Jenkins | 1 Chef Sinatra | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A missing permission check in Jenkins Chef Sinatra Plugin in the ChefBuilderConfiguration.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
|
|||||
| CVE-2019-1003085 | 1 Jenkins | 1 Zephyr Enterprise Test Management | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A missing permission check in Jenkins Zephyr Enterprise Test Management Plugin in the ZeeDescriptor#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
|
|||||
| CVE-2019-1003083 | 1 Jenkins | 1 Gearman | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A missing permission check in Jenkins Gearman Plugin in the GearmanPluginConfig#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
|
|||||
| CVE-2019-1003081 | 1 Jenkins | 1 Openshift Deployer | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A missing permission check in Jenkins OpenShift Deployer Plugin in the DeployApplication.DeployApplicationDescriptor#doCheckLogin form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
|
|||||
| CVE-2019-1003079 | 1 Jenkins | 1 Vmware Lab Manager Slaves | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A missing permission check in Jenkins VMware Lab Manager Slaves Plugin in the LabManager.DescriptorImpl#doTestConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
|
|||||
| CVE-2019-1003077 | 1 Jenkins | 1 Audit To Database | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A missing permission check in Jenkins Audit to Database Plugin in the DbAuditPublisherDescriptorImpl#doTestJdbcConnection form validation method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
|
|||||
| CVE-2019-1003059 | 1 Jenkins | 1 Ftp Publisher | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A missing permission check in Jenkins FTP publisher Plugin in the FTPPublisher.DescriptorImpl#doLoginCheck method allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
|
|||||
| CVE-2019-1003047 | 1 Jenkins | 1 Fortify On Demand Uploader | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
A missing permission check in Jenkins Fortify on Demand Uploader Plugin 3.0.10 and earlier allows attackers with Overall/Read permission to initiate a connection to an attacker-specified server.
|
|||||
| CVE-2019-1003043 | 1 Jenkins | 1 Slack Notification | 2024-11-21 | 3.5 LOW | 7.5 HIGH |
|
A missing permission check in Jenkins Slack Notification Plugin 2.19 and earlier allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
|
|||||
| CVE-2019-1003037 | 1 Jenkins | 1 Azure Vm Agents | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
|
|||||
| CVE-2019-1003036 | 1 Jenkins | 1 Azure Vm Agents | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A data modification vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgent.java that allows attackers with Overall/Read permission to attach a public IP address to an Azure VM agent.
|
|||||
| CVE-2019-1003035 | 1 Jenkins | 1 Azure Vm Agents | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
An information exposure vulnerability exists in Jenkins Azure VM Agents Plugin 0.8.0 and earlier in src/main/java/com/microsoft/azure/vmagent/AzureVMAgentTemplate.java, src/main/java/com/microsoft/azure/vmagent/AzureVMCloud.java that allows attackers with Overall/Read permission to perform the 'verify configuration' form validation action, thereby obtaining limited information about the Azure configuration.
|
|||||
| CVE-2019-1003025 | 1 Jenkins | 1 Cloud Foundry | 2024-11-21 | 4.0 MEDIUM | 8.8 HIGH |
|
A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method, capturing credentials stored in Jenkins.
|
|||||
| CVE-2019-1003006 | 1 Jenkins | 1 Groovy | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
|
|||||
| CVE-2019-1000017 | 1 Chamilo | 1 Chamilo Lms | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Chamilo Chamilo-lms version 1.11.8 and earlier contains an Incorrect Access Control vulnerability in Tickets component that can result in an authenticated user can read all tickets available on the platform, due to lack of access controls. This attack appears to be exploitable via ticket_id=[ticket number]. This vulnerability appears to have been fixed in 1.11.x after commit 33e2692a37b5b6340cf5bec1a84e541460983c03.
|
|||||
| CVE-2019-0573 | 1 Microsoft | 3 Windows 10, Windows Server 2016, Windows Server 2019 | 2024-11-21 | 6.8 MEDIUM | 7.8 HIGH |
|
An elevation of privilege vulnerability exists when the Windows Data Sharing Service improperly handles file operations, aka "Windows Data Sharing Service Elevation of Privilege Vulnerability." This affects Windows Server 2016, Windows 10, Windows Server 2019, Windows 10 Servers. This CVE ID is unique from CVE-2019-0571, CVE-2019-0572, CVE-2019-0574.
|
|||||
| CVE-2019-0566 | 1 Microsoft | 4 Edge, Windows 10, Windows Server 2016 and 1 more | 2024-11-21 | 6.8 MEDIUM | 8.8 HIGH |
|
An elevation of privilege vulnerability exists in Microsoft Edge Browser Broker COM object, aka "Microsoft Edge Elevation of Privilege Vulnerability." This affects Microsoft Edge.
|
|||||
| CVE-2019-0555 | 1 Microsoft | 6 Windows 10, Windows 8.1, Windows Rt 8.1 and 3 more | 2024-11-21 | 4.4 MEDIUM | 7.8 HIGH |
|
An elevation of privilege vulnerability exists in the Microsoft XmlDocument class that could allow an attacker to escape from the AppContainer sandbox in the browser, aka "Microsoft XmlDocument Elevation of Privilege Vulnerability." This affects Windows Server 2012 R2, Windows RT 8.1, Windows Server 2012, Windows Server 2019, Windows Server 2016, Windows 8.1, Windows 10, Windows 10 Servers.
|
|||||
| CVE-2019-0386 | 1 Sap | 2 Erp Sales, S4hana Sales | 2024-11-21 | 6.5 MEDIUM | 6.3 MEDIUM |
|
Order processing in SAP ERP Sales (corrected in SAP_APPL 6.0, 6.02, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18) and S4HANA Sales (corrected in S4CORE 1.0, 1.01, 1.02, 1.03, 1.04) does not execute the required authorization checks for an authenticated user, which can result in an escalation of privileges.
|
|||||
| CVE-2019-0367 | 1 Sap | 1 Netweaver Process Integration | 2024-11-21 | 4.0 MEDIUM | 4.3 MEDIUM |
|
SAP NetWeaver Process Integration (B2B Toolkit), before versions 1.0 and 2.0, does not perform necessary authorization checks for an authenticated user, allowing the import of B2B table content that leads to Missing Authorization Check.
|
|||||
| CVE-2019-0349 | 1 Sap | 1 Advanced Business Application Programming Platform Kernel | 2024-11-21 | 6.5 MEDIUM | 7.2 HIGH |
|
SAP Kernel (ABAP Debugger), versions KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, KERNEL 7.21, 7.49, 7.53, 7.73, 7.75, 7.76, 7.77, allows a user to execute “Go to statement” without possessing the authorization S_DEVELOP DEBUG 02, resulting in Missing Authorization Check
|
|||||
| CVE-2019-0325 | 1 Sap | 1 Erp Hcm | 2024-11-21 | 4.9 MEDIUM | 4.2 MEDIUM |
|
SAP ERP HCM (SAP_HRCES) , version 3, does not perform necessary authorization checks for a report that reads payroll data of employees in a certain area. Due to this under certain conditions, the user that once had authorization to payroll data of an employee, which was later revoked, may retain access to the same data.
|
|||||
| CVE-2019-0293 | 1 Sap | 1 Sap Solution Manager System | 2024-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
|
Read of RFC destination does not always perform necessary authorization checks, resulting in escalation of privileges to access information on RFC destinations on managed systems and SAP Solution Manager system (ST-PI, before versions 2008_1_700, 2008_1_710, and 740).
|
|||||
| CVE-2019-0280 | 1 Sap | 1 Treasury And Risk Management | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
SAP Treasury and Risk Management (EA-FINSERV 6.0, 6.03, 6.04, 6.05, 6.06, 6.16, 6.17, 6.18 and 8.0; S4CORE 1.01, 1.02 and 1.03), does not perform necessary authorization checks for authorization objects T_DEAL_DP and T_DEAL_PD , resulting in escalation of privileges.
|
|||||
| CVE-2019-0279 | 1 Sap | 1 Business Application Software Integrated Solution | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
ABAP BASIS function modules INST_CREATE_R3_RFC_DEST, INST_CREATE_TCPIP_RFCDEST, and INST_CREATE_TCPIP_RFC_DEST in SAP BASIS (fixed in versions 7.0 to 7.02, 7.10 to 7.30, 7.31, 7.40, 7.50 to 7.53) do not perform necessary authorization checks in all circumstances for an authenticated user, resulting in escalation of privileges.
|
|||||
| CVE-2019-0270 | 1 Sap | 5 Advanced Business Application Programming Platform Kernel, Advanced Business Application Programming Platform Krnl32nuc, Advanced Business Application Programming Platform Krnl32uc and 2 more | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
ABAP Server of SAP NetWeaver and ABAP Platform fail to perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has been corrected in the following versions: KRNL32NUC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL32UC 7.21, 7.21EXT, 7.22, 7.22EXT, KRNL64NUC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.74, KRNL64UC 7.21, 7.21EXT, 7.22, 7.22EXT, 7.49, 7.73, 7.74, 8.04, KERNEL 7.21, 7.45, 7.49, 7.53, 7.73, 7.74, 7.75, 8.04.
|
|||||
| CVE-2019-0258 | 1 Sap | 1 Disclosure Management | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
SAP Disclosure Management, version 10.01, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
|
|||||
| CVE-2019-0257 | 1 Sap | 2 Netweaver Application Server Abap, Netweaver As Abap | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Customizing functionality of SAP NetWeaver AS ABAP Platform (fixed in versions from 7.0 to 7.02, from 7.10 to 7.11, 7.30, 7.31, 7.40, from 7.50 to 7.53, from 7.74 to 7.75) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
|
|||||
| CVE-2019-0243 | 1 Sap | 1 Bw\/4hana | 2024-11-21 | 6.5 MEDIUM | 8.8 HIGH |
|
Under some circumstances, masterdata maintenance in SAP BW/4HANA (fixed in DW4CORE version 1.0 (SP08)) does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges.
|
|||||
| CVE-2019-0201 | 5 Apache, Debian, Netapp and 2 more | 11 Activemq, Drill, Zookeeper and 8 more | 2024-11-21 | 4.3 MEDIUM | 5.9 MEDIUM |
|
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper’s getACL() command doesn’t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for ...
Show More |
|||||
| CVE-2018-9548 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In multiple functions of ContentProvider.java, there is a possible permission bypass due to a missing URI validation. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9. Android ID: A-112555574.
|
|||||
| CVE-2018-9457 | 1 Google | 1 Android | 2024-11-21 | 2.1 LOW | 5.5 MEDIUM |
|
In onCheckedChanged of BluetoothPairingController.java, there is a possible way to retrieve contact information due to a permissions bypass. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android. Versions: Android-8.0 Android-8.1 Android-9. Android ID: A-72872376
|
|||||